Reporting security issues¶
Don't open a public issue for security reports. Use GitHub's private advisory flow.
Private advisory¶
Go to https://github.com/guygrigsby/pluma/security/advisories/new and file there. This is the canonical channel.
What helps triage:
- The Pluma version (output of pluma --version, or a commit SHA).
- The OS + browser if relevant.
- A clear reproduction or a proof-of-concept.
- The blast radius you observed (filesystem read, RCE, auth bypass, etc.).
- A suggested CVSS vector if you've got one (not required).
You'll get an acknowledgement within 72 hours.
Public discussion¶
After the fix lands and a release is cut, the advisory becomes public on GitHub. Pluma will credit reporters by name (or alias / "anonymous") in the release notes unless you ask otherwise.
Bug-bounty status¶
No formal bug-bounty program. Pluma is a small indie project — there's no budget. Acknowledgements and shout-outs in release notes are what I can offer.
What's out of scope¶
- require_auth = false exposed publicly. That setting is a documented dev-mode escape; running it on a public-facing instance is misconfiguration, not a bug.
- Self-XSS via paste-into-character-field. Pluma sanitises rendered Markdown through DOMPurify with strict ALLOWED_TAGS / ALLOWED_ATTR. Reports that require the user to deliberately paste hostile content into their own card body are not security issues.
- LLM prompt-injection in chat content. The model side is the model's concern; Pluma doesn't claim to defend against an upstream that decides to follow instructions encoded in user text. We strip markdown for the TTS path because the codec can't pronounce asterisks, not because asterisks are a vulnerability.
- SmartScreen / Gatekeeper warnings on unsigned binaries. Code signing is tracked separately (smelt-37b); these warnings are an OS behaviour, not a Pluma bug.
Coordinated disclosure window¶
90 days from acknowledgement to public release is the default. Negotiable for complex fixes. Reporters can request earlier disclosure if a patch is already in users' hands.
Cryptography notes¶
Pluma uses Go stdlib primitives + go-webauthn. Any report alleging a weakness in those upstream libraries goes through the upstream's reporting flow first; Pluma's job is to incorporate their fix once it lands.